Am Freitag, 25. März 2011 17:36:51 schrieb Werner Koch: > Of course I assume that the user won't go over the list of root CAs and > delete almost all of them. Barely nobody does that.
People have to be encouraged to do this and helped with lists and tools. It will raise the security bar a bit on this suboptimal system. Am Freitag, 25. März 2011 17:36:51 schrieb Werner Koch: > Sure, though then I'd rather trust a root CA from the US or Germany > then I would trust one from Libya. At least I can decide. > > You can't. What I mean is, if I remove this root CA from my list of trusted roots. Which is something I can do, I just need the information to do the decision, which is currently missing in a well accessible and understandable form. > A (say) Chinese root CA has the same level of > trustworthiness as a German one. IIRC, there is a plugin which does > some heuristics to decide whether a CA is plausible for a given URL, but > that is merely a kludge to overcome obviously "faked" certificates. Maybe it is an idea to implement further restrictions: a) only trust specific subca b) only give a range of TOP level domains to a root or subca -- FSFE -- Deputy Coordinator Germany (fsfeurope.org) Your donation makes our work possible: www.fsfeurope.org/help/donate.en.html
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Discussion mailing list [email protected] https://mail.fsfeurope.org/mailman/listinfo/discussion
